Ukash police virus
Posted: 08 Aug 2012 10:43
PC hit by the Ukash virus.
Attached are the requested logs.
Thanks in advance!
1) Malwarebytes
Malwarebytes Anti-Malware 1.62.0.1300
http://www.malwarebytes.org
Databaseversie: v2012.07.03.05
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: PC248 [administrator]
7/08/2012 16:12:36
mbam-log-2012-08-07 (16-12-36).txt
Scantype: Snelle scan
Ingeschakelde scanopties: Geheugen | Opstartitems | Register | Bestanden en mappen | Heuristiek/Extra | Heuristiek/Shuriken | PUP | PUM
Uitgeschakelde scanopties: P2P
Objecten gescand: 329663
Verstreken tijd: 14 minuut/minuten, 17 seconde(n)
Geheugenprocessen gedetecteerd: 2
C:\WINDOWS\system32\system\Mssvc.exe (Backdoor.ServUDaemon) -> 588 -> Zal worden verwijderd tijdens het herstarten.
C:\WINDOWS\system32\system\ms-java.exe (Backdoor.IRCBot) -> 1932 -> Zal worden verwijderd tijdens het herstarten.
Geheugenmodulen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)
Registersleutels gedetecteerd: 2
HKLM\SYSTEM\CurrentControlSet\Services\Ms-java (Backdoor.IRCBot) -> Succesvol in quarantaine geplaatst en verwijderd.
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MS-JAVA (Backdoor.IRCBot) -> Succesvol in quarantaine geplaatst en verwijderd.
Registerwaarden gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)
Registerdata gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)
Mappen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)
Bestanden gedetecteerd: 9
C:\WINDOWS\system32\system\firewall.bat (Trojan.OnlineGames) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\WINDOWS\system32\system\giohack.bat (Trojan.OnlineGames) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\WINDOWS\system32\system\kill.bat (Trojan.OnlineGames) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\WINDOWS\system32\system\REC.bat (Trojan.OnlineGames) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\WINDOWS\system32\system\run.bat (Trojan.OnlineGames) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Documents and Settings\sc1521\0.5727536907340294.exe (Trojan.Agent.Gen) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\WINDOWS\system32\system\Mssvc.exe (Backdoor.ServUDaemon) -> Zal worden verwijderd tijdens het herstarten.
C:\WINDOWS\system32\system\convertxdccfile.exe (Backdoor.Iroffer) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\WINDOWS\system32\system\ms-java.exe (Backdoor.IRCBot) -> Zal worden verwijderd tijdens het herstarten.
(einde)
2) Emsisoft Emergency Kit
Emsisoft Emergency Kit - Versie 2.0
Laatste Update: N/A
Scaninstellingen:
Scantype: Diepe scan
Objecten: Rootkits, Geheugen, Sporen, C:\
Scan archieven: Aan
ADS Scan: Aan
Scan gestart: 8/08/2012 8:13:25
C:\System Volume Information\_restore{2FF6B188-2E29-4077-A784-C8AFB9034EDC}\RP403\A0095342.exe Ontdekt: Riskware.RiskTool.Win32.HideExec!E2
C:\System Volume Information\_restore{2FF6B188-2E29-4077-A784-C8AFB9034EDC}\RP403\A0095345.exe Ontdekt: Trojan.Win32.Weelsof.AMN!E1
C:\System Volume Information\_restore{2FF6B188-2E29-4077-A784-C8AFB9034EDC}\RP403\A0095341.exe Ontdekt: Trojan.Hidewindows.C!E2
C:\System Volume Information\_restore{2FF6B188-2E29-4077-A784-C8AFB9034EDC}\RP403\A0095346.exe Ontdekt: Trojan.Win32.Weelsof.AMN!E1
C:\System Volume Information\_restore{2FF6B188-2E29-4077-A784-C8AFB9034EDC}\RP403\A0095347.exe Ontdekt: Trojan.Win32.Weelsof.AMN!E1
C:\System Volume Information\_restore{2FF6B188-2E29-4077-A784-C8AFB9034EDC}\RP403\A0095340.exe Ontdekt: Riskware.Client-IRC.Win32.mIRC!E2
C:\System Volume Information\_restore{2FF6B188-2E29-4077-A784-C8AFB9034EDC}\RP403\A0095350.PIF Ontdekt: Trojan.XdcBot.F!E2
C:\System Volume Information\_restore{2FF6B188-2E29-4077-A784-C8AFB9034EDC}\RP403\A0095339.dll Ontdekt: Backdoor.IRC.Flood!E2
C:\System Volume Information\_restore{2FF6B188-2E29-4077-A784-C8AFB9034EDC}\RP403\A0095349.ini Ontdekt: Backdoor.IRC.Zapchast!E2
C:\System Volume Information\_restore{2FF6B188-2E29-4077-A784-C8AFB9034EDC}\RP403\A0095351.reg Ontdekt: VBS.Small!E2
C:\System Volume Information\_restore{2FF6B188-2E29-4077-A784-C8AFB9034EDC}\RP403\A0095348.dll Ontdekt: Backdoor.IRC.Lambot.G!E2
C:\System Volume Information\_restore{2FF6B188-2E29-4077-A784-C8AFB9034EDC}\RP403\A0095352.exe Ontdekt: Riskware.NetTool.Win32.PsKill!E2
Gescand 553748
Gevonden 12
Scan geëindigd: 8/08/2012 10:26:16
Scantijd: 2:12:51
C:\System Volume Information\_restore{2FF6B188-2E29-4077-A784-C8AFB9034EDC}\RP403\A0095352.exe Verwijderd Riskware.NetTool.Win32.PsKill!E2
C:\System Volume Information\_restore{2FF6B188-2E29-4077-A784-C8AFB9034EDC}\RP403\A0095348.dll Verwijderd Backdoor.IRC.Lambot.G!E2
C:\System Volume Information\_restore{2FF6B188-2E29-4077-A784-C8AFB9034EDC}\RP403\A0095351.reg Verwijderd VBS.Small!E2
C:\System Volume Information\_restore{2FF6B188-2E29-4077-A784-C8AFB9034EDC}\RP403\A0095349.ini Verwijderd Backdoor.IRC.Zapchast!E2
C:\System Volume Information\_restore{2FF6B188-2E29-4077-A784-C8AFB9034EDC}\RP403\A0095339.dll Verwijderd Backdoor.IRC.Flood!E2
C:\System Volume Information\_restore{2FF6B188-2E29-4077-A784-C8AFB9034EDC}\RP403\A0095350.PIF Verwijderd Trojan.XdcBot.F!E2
C:\System Volume Information\_restore{2FF6B188-2E29-4077-A784-C8AFB9034EDC}\RP403\A0095340.exe Verwijderd Riskware.Client-IRC.Win32.mIRC!E2
C:\System Volume Information\_restore{2FF6B188-2E29-4077-A784-C8AFB9034EDC}\RP403\A0095341.exe Verwijderd Trojan.Hidewindows.C!E2
C:\System Volume Information\_restore{2FF6B188-2E29-4077-A784-C8AFB9034EDC}\RP403\A0095345.exe Verwijderd Trojan.Win32.Weelsof.AMN!E1
C:\System Volume Information\_restore{2FF6B188-2E29-4077-A784-C8AFB9034EDC}\RP403\A0095346.exe Verwijderd Trojan.Win32.Weelsof.AMN!E1
C:\System Volume Information\_restore{2FF6B188-2E29-4077-A784-C8AFB9034EDC}\RP403\A0095347.exe Verwijderd Trojan.Win32.Weelsof.AMN!E1
C:\System Volume Information\_restore{2FF6B188-2E29-4077-A784-C8AFB9034EDC}\RP403\A0095342.exe Verwijderd Riskware.RiskTool.Win32.HideExec!E2
Verwijderd 12
3) DDS.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 10:27:00 on 2012-08-08
Microsoft Windows XP Professional 5.1.2600.3.1252.32.1043.18.1910.995 [GMT 2:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\Program Files\Fingerprint Sensor\AtService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r260702\payload\wdm\stacsv.exe
svchost.exe
C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\TightVNC\tvnserver.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
c:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
c:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
E:\4 Emsisoft\start.exe
E:\4 Emsisoft\Run\a2emergencykit.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www1.euro.dell.com/content/default.aspx?c=be&l=nl&s=gen
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\tdmnot~1.lnk - c:\program files\wave systems corp\trusted drive manager\TdmNotify.exe
StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xporteren naar Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {640373B0-6978-4FA5-A9FC-420ECBBC61C7} - file://srvfile/GiS_Documenten$/Projecten/Lopende/A11F06/Div_Bestanden/Tekla/FASE%203/PublicWeb/dll/zkitlib.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1280903390496
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdat ... 1425018421
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
LSA: Authentication Packages = msv1_0 wvauth
Hosts: 192.50.1.39 SRVBACK
Hosts: 192.50.1.45 SRVALTEZ
Hosts: 192.50.1.46 SRVTS1
Hosts: 192.50.1.47 SRVEXCH
Hosts: 192.50.1.48 SRVFILE
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\drivers\stdfltn.sys [2010-7-7 17072]
R1 A2DDA;A2 Direct Disk Access Support Driver;e:\4 emsisoft\run\a2ddax86.sys [2012-8-7 17904]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-10-5 65584]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2010-5-10 1803584]
R2 BrcmMgmtAgent;Broadcom Management Agent;c:\program files\broadcom\mgmtagent\BrcmMgmtAgent.exe [2009-11-5 114688]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2009-11-21 278304]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-1-31 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-1-31 108392]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-12-10 376608]
R2 InstallFilterService;FF Install Filter Service;c:\program files\stmicroelectronics\accelerometerp11\InstallFilterService.exe [2010-7-7 60928]
R2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [2010-7-7 59904]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2011-1-31 1839776]
R2 tvnserver;TightVNC Server;c:\program files\tightvnc\tvnserver.exe [2010-7-8 815704]
R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Accelern.sys [2010-7-7 42672]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2010-7-7 113664]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-5-31 106656]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-7-7 132480]
R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2010-7-7 235520]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20120805.009\NAVENG.SYS [2012-8-6 87928]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20120805.009\NAVEX15.SYS [2012-8-6 1589752]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2010-3-25 23888]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-5-8 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-08-07 15:45:23 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-08-07 14:52:30 -------- d-----w- c:\documents and settings\administrator.altez\application data\ICAClient
2012-08-07 14:52:29 -------- d-----w- c:\documents and settings\administrator.altez\local settings\application data\Citrix
2012-08-07 14:39:35 -------- d-----w- c:\documents and settings\administrator.altez\application data\EurekaLog
2012-08-07 14:11:37 -------- d-----w- c:\documents and settings\administrator.altez\application data\Malwarebytes
2012-08-07 14:11:24 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-08-07 14:11:23 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-07 14:11:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-07 14:10:54 -------- d-sh--w- c:\documents and settings\administrator.altez\IETldCache
2012-08-01 09:41:09 -------- d-----w- c:\documents and settings\all users\application data\gmxwviwhynenynl
.
==================== Find3M ====================
.
2012-06-02 13:19:44 18456 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 13:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 13:19:30 15896 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 13:19:24 15896 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 13:19:18 24088 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-05-31 13:22:05 602624 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:09:47 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:55:08 1872256 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:44:13 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:44:13 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:39:29 385024 ------w- c:\windows\system32\html.iec
.
============= FINISH: 10:28:01,31 ===============